USA – Cyber Incident Reporting Act for critical infrastructure is enacted
21 March 2022
The Cyber Incident Reporting Act will require critical infrastructure entities in the US to report substantial cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the entity reasonably believes that the incident occurred, and to report any ransomware payment within 24 hours after making it. When significant new or different information about an incident becomes available, the entity must provide CISA with updated reports until the incident is fully resolved and mitigated.
CISA will issue further regulations within the next 24 months to specify the thresholds for notifiable cybersecurity incidents, the scope of the notification and which information about the mitigation and resolution of the incident must be provided. CISA must be notified of all ransom payments, regardless of whether the underlying incident was itself required to be reported. Entities will also be required to preserve data relating to the incident or ransom payment in accordance with procedures defined by CISA. The Cyber Incident Reporting Act will not become effective until the final rule is proposed and published by CISA.
The Cyber Incident Notification Act will apply to entities in critical infrastructure sectors, including, for instance, communications, financial services, energy, healthcare, information technology and critical manufacturing. CISA will have powers to compel compliance with the reporting obligations and may refer cases to the Attorney General for civil enforcement actions.
Read the Cyber Incident Notification Act, which is part of the Consolidated Appropriations Act 2022 (H.R. 2471).
This article was co-authored by Jose Basabe.